Privacy Policy

Threat Protect Group Pty Ltd

Privacy Policy (August 2015)

Our commitment to you

Threat Protect Group Pty Ltd (ABN 73 149 334 118) "Threat Protect" and each of its subsidiaries (together referred to in this privacy policy as "Threat Protect" or as "us", "we" and "our") is committed to protecting your privacy and the confidentiality of your personal information and sensitive information in accordance with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) (Privacy Act).

This privacy policy explains the types of personal information we collect and hold, how we collect, hold and use this information, the purpose for which we collect, hold, use and disclose this information, who we may disclose it to, how you can access and seek a correction of personal information we hold about you, how you can make a privacy complaint and whether we may disclose information to overseas recipients.

Updates to our privacy policy

We are constantly reviewing all of our policies and attempt to keep up to date with constantly changing technology, law and marketplace practices.

As a consequence, we may change our privacy policy from time to time or as the need arises.

This privacy policy was last updated in August 2015. This policy replaces any other privacy policy published by us to date and we reserve the right to change this policy at any time. We encourage you to regularly check for any updates to our privacy policy.

Information we collect and why we collect it

Information collected

The information we collect and hold about you may include:

Personal information, being information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Sensitive information, being information or an opinion about an individual’s personal preferences or characteristics (such as race, ethnicity, political views, memberships, religious or philosophical beliefs and sexual preference), health information and/or biometric information.

Sensitive information is afforded a higher level of protection than other kinds of information under the Privacy Act. We collect and hold sensitive information only when you knowingly and voluntarily submit it. We will rarely collect and hold this kind of information.

The types of personal information that we may collect and hold include the following:

full name, postal address, email address, telephone and fax numbers;

date of birth, occupation and gender;

full name, postal address and telephone number of next of kin;

any other information you provide to us by any means; and

electronic or other geo-location identifiers.

Consequence of refusal

We understand that you may not want to provide certain information to us. If you choose not to provide us with some or all of the information we request, we may not be able to provide you with the services you require.

How we collect your personal information

We usually collect personal information directly from you. This may be done in person, over the phone, by email or through our website. We may collect personal information from or about you in a number of circumstances, including:

from publicly available sources of information;

when you use our services or contact us directly;

when you sign up to receive information from us (e.g. when you sign up to our mailing list);

when you use our website;

when you use our mobile app or other software;

from third party sources; and

when we are legally required to do so.

Means of collection

We will only collect your personal information when the information is reasonably necessary for, or directly related to, one or more of our functions or activities.

We will only collect your sensitive information when you consent to the collection of the information and the information is reasonably necessary for, or directly related to, one or more of our functions or activities.

We will, at all times, take reasonable steps to collect your personal information directly from you, unless:

it is unreasonable or impracticable for us to do so;

you consent to the collection of the information from someone other than you; or

we are required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than you.

In the event we receive your personal information from a third party, we will take reasonable steps to inform you of that and seek your consent to our collection of that information. Should you refuse to consent to that collection, we will take reasonable steps to destroy or de-identify that information.

Collection of personal information through cookies on our website

Cookies are data that a website transfers to an individual’s hard drive for record-keeping purposes. Cookies can facilitate a user’s ongoing access to and use of a website. They allow us to track usage patterns and to compile data that can help us improve our content and target advertising.

If you do not want your information collected through the use of cookies, there is a simple procedure in most browsers that allows you to deny or accept the cookie feature. You should note that cookies may be necessary to provide you with certain features on our website.

We may record your visit through the use of cookies and may log the following information for purely statistical purposes:

your server address;

your top-level domain name (e.g. “com”, “gov”, “au” etc.);

the date and time of the visit to the site;

the pages accessed and documents downloaded;

the previous site visited; and

the type of browser used.

Notification of collection

When we collect personal information about you, we will take reasonable steps to notify you or to otherwise ensure you are aware of certain matters. These matters include our identity as an organisation and contact details, the context of the collection, whether the collection is required or authorised by law, the purposes of the collection, our usual disclosure of personal information, information about our privacy policy and whether we are likely to disclose your personal information to overseas recipients.

We will take reasonable steps to provide this notification before, or at the time we collect your personal information. If it is not possible for us to do so, we will take reasonable steps to provide notification as soon as practicable after collection.

How we hold and store your information

All of the personal and sensitive information we collect is stored locally on our servers and on our back-up system. Our electronic databases are maintained by our information systems branch and firewalled.

We store personal information through a third party data storage provider which is PCI DSS Compliant and is an ISO 9001:2008 Certified System.

We also maintain a number of hardcopy collections of records and electronic databases for use by staff. Current files are held on site or with project managers, whilst non-current files are archived to an offsite commercial storage facility.

Security

We take reasonable steps to protect the security, integrity and privacy of your personal and sensitive information.

Our personnel are required to respect the confidentiality of personal information and the privacy of individuals.

We use a variety of physical and electronic security measures, including restricting physical access to our offices and using firewalls and secure databases, to keep personal information secure from misuse, loss or unauthorised use or disclosure.

We regularly review our various security measures in order to ensure that they are up to date and fit for purpose.

Information retention and destruction practices

We will only retain your personal and/or sensitive information as long as it is necessary for us to do so or as required by legislation or a court or tribunal order.

We have an internal system that is used to identify information that is no longer necessary for us to retain and periodically review our data in accordance with this system. Once the purpose for which that information was collected expires and/or upon periodic review, we will take reasonable steps to destroy that information or to de-identify that information, so that it can be retained for statistical purposes.

Information which is retained for statistical purposes may be used to improve our services and to make them more responsive to the needs of our customers. This statistical compilation and analysis of information may also be used by us or provided to others as a summary report for marketing, advertising or research purposes.

Unsolicited personal information

We may receive your personal or sensitive information as unsolicited personal information. Unsolicited personal information is information received by an organisation, such as Threat Protect, where that organisation took no active steps to collect that information.

If we receive unsolicited information, we will determine whether we could have collected the information under Australian Privacy Principle 3 [http://www.oaic.gov.au/privacy/privacy-act/australian-privacy-principles] (which governs the collection of solicited personal information). Where we could not have collected the information consistent with Australian Privacy Principle 3, we will destroy or de-identify the information as soon as practicable, so long as it is lawful and reasonable for us to do so.

Dealing with us via pseudonym or anonymously

In most circumstances, it will not be possible or practicable for us, in the course of conducting our activities, to deal with individuals who have not identified themselves or who have used a pseudonym.

We are required and/or authorised under Australian law, in certain circumstances, to deal only with individuals who have identified themselves.

However, on the expiry of the purpose for which certain information was collected and/or on the request of the individual the subject of the information, we will take reasonable steps to de-identify that information through the use of pseudonyms and/or to make the applicable personal details anonymous.

The purpose of our collection, holding of, use or disclosure of information

How and in what circumstances we use or disclose your personal information

We will use and disclose your personal information to provide our services to you or to fulfill administrative functions associated with our organisation and otherwise as required or permitted by law. In general, we will use and disclose your personal information for the following purposes:

for the purposes for which the information was provided by you;

to provide and market our services and products to you;

to assist you with your enquiries or to communicate with you with respect to an existing product or service;

to help us manage and enhance our services (including to obtain feedback from you after the provision of our services or for research into the development of new products and services or the improvement of our existing products or services);

for accounting, risk management, record keeping and staff training purposes;

other third parties for the purpose of providing you with our services or otherwise in connection with your relationship with us, including:

service providers which provide products and services requested by you; and

your representatives and service providers to you (such as your lawyer, banker, executor, administrator or trustee);

to comply with our legal obligations and requirements;

to enforce any obligations owed to us; and

any other purpose related to any of the above.

Purpose for use

Your personal information will only be used and disclosed for the primary purpose for which it was collected (as disclosed in our privacy policy or at the time the information was collected) or for certain secondary purposes in the circumstances outlined below.

We will only make use of or disclose your personal information for a secondary purpose if:

you have consented to the use or disclosure of that information;

you would reasonably expect us to use or disclose the information for the secondary purpose;

the use or disclosure of that information is required or authorised by or under legislation or court/tribunal order;

a “permitted general situation” exists in relation to the use or disclosure of the information by us; or

we reasonably believe that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

In the event we disclose information pursuant to paragraph 39.5 above, we will make a written record of the use or disclosure.

Who can access your personal information and what conditions apply to their use?

As a general rule, your personal information will only be accessed and/or viewed by our staff and officers, as and when it is appropriate or necessary. However, your personal information may also be accessed, from time to time, by:

our sub-contractors;

our strategic partners and business associates; and

our suppliers (i.e. third parties who provide services to us) such as:

service providers and data processors working on our behalf and providing services such as hosting and maintenance services, analysis services, email messaging services, delivery services, handling of payment transactions, marketing etc; and

our professional advisers (such as accountants, lawyers, auditors).

Where a party, other than an employee or officer of ours, has access to the personal information of individuals, they will be required to comply with the applicable Australian privacy legislation and, where appropriate, to enter into privacy agreements with us.

The access and use of your personal information by a third party will be restricted to the purposes outlined in this policy.

Direct marketing

We will only use or disclose your personal information (except sensitive information) for the purposes of direct marketing if:

you would reasonably expect us to use or disclose the information for the purpose of direct marketing or you have consented to the use or disclosure of the information for that purpose (except where it is impracticable to obtain that consent); and

we provide you with a simple means of opting out of receiving any further direct marketing communications from us; and

you have not requested that we cease sending you direct marketing communications.

We will not provide your personal information to third parties outside of the Threat Protect Group without your consent.

We will only make use of your sensitive information for direct marketing purposes if you have consented to the use or disclosure of that information for that purpose.

If you receive direct marketing communications from us or from an associated entity, you are entitled to:

request that you receive no further direct marketing communications from us and/or the associated entity; and

request that we disclose the source of the information to you.

Opting-out

We will take reasonable steps to facilitate a request by you to opt-out of receiving direct marketing communications. This may be a request to opt-out of receiving certain communications or to opt-out altogether. We will not charge you for making such a request or for giving effect to such a request.

We will take reasonable steps to give effect to such request within a reasonable period of time after the request is made (unless it is unreasonable or impracticable for us to do so).

Emails

We may use your email address to send you our publications, newsletters, or updates. We may also contact you by email to seek your opinion or comment on our website and our service offerings.

We, at all times, aim to comply with the terms of the Spam Act 2003 (Cth) and will not send unsolicited commercial electronic messages or "spam". All commercial electronic messages sent by us include information about the individual or organisation who authorised the sending of the message.

You can unsubscribe from our emails at any time. You can also contact us if you would prefer not to receive this information and we will comply with your request.

Disclosure of personal information to overseas recipients

We may disclose personal information to third party suppliers and service providers located overseas for some of the purposes listed above. This does not diminish your rights and we will take all reasonable steps necessary to ensure transferred information is kept secure as required by applicable data privacy laws. By submitting your personal information to us you agree that you do not object to any such transfer, processing or storage.

Should you have any queries about the potential disclosure of your personal information to an overseas recipient, please contact our Chief Data Protection Officer.

How can you access and/or seek the correction of your personal information?

You have a right to access the personal information we hold about you and to request the correction of any personal information we hold about you.

We will take reasonable steps to ensure that the personal information we collect and disclose is accurate, up to date, complete and relevant.

Requests for access to personal information

You can request us to provide you with access to the personal information we hold about you.

Requests for access to information can be made to our Chief Data Protection Officer at the contact details provided below. In all cases we will need to verify your identity before giving you access.

We will take reasonable steps to respond to a request for access within a reasonable period of time after the request is made (within 30 calendar days) and to give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.

A fee may be payable where the information you have requested is not readily available and will involve a considerable amount of time for us to compile. We will inform you of the amount of the fee beforehand and respond to your request after payment is received.

We are not required to give you access to personal information to the extent that:

we reasonably believe that giving access would pose a serious threat to the life, health or safety of an individual, or to public health or public safety;

giving access would have an unreasonable impact on the privacy of other individuals;

the request is frivolous or vexatious;

the information relates to existing or anticipated legal proceedings and would not be accessible by the process of discovery in those proceedings;

giving access would reveal our intentions in relation to negotiations with you in such a way as to prejudice those negotiations;

giving access would be unlawful;

denying access is required or authorised by or under legislation or a court/tribunal order;

giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or

In the event that we refuse to give you access to the personal information requested by you, we will give you a written notice which sets out the reasons for the refusal (except to the extent that it would be unreasonable to do so) and the mechanisms available to you to complain about the refusal.

Request for correction of personal information

You can make a request for the correction and/or amendment of the personal information we hold about you informally in writing or pursuant to the terms of the Privacy Act.

Applications to have personal information held by us corrected or amended should:

be made in writing to our Chief Operations Officer;

provide enough information to determine what changes are required; and

provide your current contact details.

In the event we refuse to correct your personal information, we will give you a written notice which sets out the reasons for the refusal (except to the extent it would be unreasonable to do so) and the mechanisms available to you to complain about the refusal.

We will take reasonable steps to respond to a request for access within a reasonable period of time after the request is made (within 30 calendar days) and will not charge you for the making of the request or for the correction of the personal information.

How to give feedback or complain about a privacy breach

Should you wish to provide us with feedback with respect to our management of your personal information or to complain about a breach of our privacy obligations, please in the first instance contact our Chief Operations Officer.

Our Chief Operations Officer will take reasonable steps to respond to your complaint and/or feedback within 30 days of receipt by us.

In the event you are dissatisfied with the decision of the Chief Operations Officer and/or wish to lodge a general complaint with respect to our management of your personal information, please contact the Office of the Australian Information Commissioner at http://www.oaic.gov.au/.